 From:  <lola at yais dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Traffic rules not working?
 Date:  Fri, 30 Jul 2004 12:11:02 +0200
> From: "Jon Tackabury" <jtackabury at binaryfortress dot com>
> Date: Thu, 29 Jul 2004 20:59:18 -0400
> To: <m0n0wall at lists dot m0n0 dot ch>
> Subject: [m0n0wall] Traffic rules not working?
> 
> I have 3 interfaces.  LAN, WAN and OPT1.  I set the rules to "Block anything
> from anywhere to anywhere" on OPT1... but when I ping a PC from a PC on the
> LAN interface, somehow the ICMP reply packets are getting through... if I
> said to block all traffic coming in OPT1, shouldn't it block that?
> 

This is because of the default rule on the LAN interface. LAN is allowed to
connect to everything everywhere. This rule "keeps state". This means that an
outgoing connection is allowed to receive an answer even if incoming
connections are blocked.

read this:


http://www.phildev.net/ipf/IPFques.html#1

http://www.obfuscation.org/ipf/ipf-howto.html#TOC_20



> Also, how can I create a rule that says "Block this PC from the LAN to
> getting on the Internet".  I can create a rule that blocks them from getting
> to the "LAN Subnet" or the "OPT1 Subnet"... but there doesn't seem to be a
> way to block them from going out the WAN interface.
> 


On the LAN interface create the rule:

"block" from "ip_of_your_host" to "! (<- this means not) lan subnet"

This rule will block everything from the client which is not directed to the
LAN, i.e. the internet.



---

lola
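The two mechanisms discussed in this thread, the state entry created by the LAN "keep state" rule and the negated "! lan subnet" destination, modelled as a small first-match filter. This is an added example, not m0n0wall or ipfilter code: the subnets (192.168.1.0/24 for LAN, 192.168.2.0/24 for OPT1), the host 192.168.1.50, the interface names and the state-table key are assumptions chosen for illustration. What it reproduces is the ipfilter behaviour the linked FAQs describe: the state table is consulted before the rule list, so a reply belonging to a connection opened from the LAN passes on OPT1 even though every OPT1 rule says block.

```python
"""Toy model of stateful filtering as m0n0wall/ipfilter apply it.

Added example, not m0n0wall or ipfilter code. Subnets, hosts, interface
names and the simplified (proto, src, dst) state key are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("192.168.1.0/24")        # assumed LAN subnet
OPT1_NET = ipaddress.ip_network("192.168.2.0/24")       # assumed OPT1 subnet
BLOCKED_HOST = ipaddress.ip_network("192.168.1.50/32")  # the PC to keep off the Internet


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet comes IN on: "lan", "opt1" or "wan"
    proto: str   # "icmp", "tcp" or "udp"
    src: str
    dst: str


@dataclass
class Rule:
    """One GUI rule. m0n0wall rules are all 'quick': the first match wins."""
    iface: str
    action: str                                   # "pass" or "block"
    src: Optional[ipaddress.IPv4Network] = None   # None = any
    dst: Optional[ipaddress.IPv4Network] = None   # None = any
    negate_dst: bool = False                      # the "!" in "to ! lan subnet"
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        if pkt.iface != self.iface:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None:
            in_dst = ipaddress.ip_address(pkt.dst) in self.dst
            if in_dst == self.negate_dst:   # "! dst" inverts the membership test
                return False
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # (proto, src, dst) entries created by keep-state passes

    def filter(self, pkt: Packet) -> str:
        # The state table is checked BEFORE the rule list: a packet that belongs
        # to a known connection passes on whatever interface it arrives on, so
        # the OPT1 "block all" rule never gets to see the echo reply.
        key = (pkt.proto, pkt.src, pkt.dst)
        reverse = (pkt.proto, pkt.dst, pkt.src)
        if key in self.state or reverse in self.state:
            return "pass (state)"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass" and rule.keep_state:
                    self.state.add(key)
                return rule.action
        return "block"   # implicit default deny when no rule matches


RULES = [
    # OPT1 tab: block anything from anywhere to anywhere
    Rule("opt1", "block"),
    # LAN tab, placed ABOVE the default rule: block 192.168.1.50 to "! LAN subnet"
    Rule("lan", "block", src=BLOCKED_HOST, dst=LAN_NET, negate_dst=True),
    # LAN tab: the default "LAN -> any" rule, which keeps state
    Rule("lan", "pass", src=LAN_NET, keep_state=True),
]


def run_scenarios() -> dict:
    """Run the situations from the thread and return each verdict."""
    fw = Firewall(RULES)
    return {
        # 1. ping from a LAN PC to an OPT1 PC: the request creates a state entry...
        "echo_request_lan_to_opt1": fw.filter(Packet("lan", "icmp", "192.168.1.10", "192.168.2.20")),
        # ...so the reply coming IN on OPT1 passes although OPT1 blocks everything
        "echo_reply_in_on_opt1": fw.filter(Packet("opt1", "icmp", "192.168.2.20", "192.168.1.10")),
        # 2. a ping started from the OPT1 side has no state entry and is blocked
        "unsolicited_opt1_ping": fw.filter(Packet("opt1", "icmp", "192.168.2.21", "192.168.1.10")),
        # 3. the singled-out host may talk inside the LAN but not leave it
        "host_to_lan_neighbour": fw.filter(Packet("lan", "tcp", "192.168.1.50", "192.168.1.10")),
        "host_to_internet": fw.filter(Packet("lan", "tcp", "192.168.1.50", "203.0.113.5")),
        "host_to_opt1": fw.filter(Packet("lan", "tcp", "192.168.1.50", "192.168.2.20")),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} {verdict}")
```

Two practical points the model makes visible. The block rule for the single host has to sit above the default LAN rule, because the first matching rule wins and the default rule would otherwise pass the traffic and create state. And "! LAN subnet" means everything outside the LAN, so the host is also cut off from the OPT1 subnet; if it should still reach OPT1, a pass rule to "OPT1 subnet" has to be placed above the block rule.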